Did you get our email?
If you got an email from us with a personalized Security Snapshot link — that's us. The grade and findings on that page are real, generated from public DNS and headers your site already broadcasts. We didn't log into anything. Share the snapshot freely with your board. Want a 15-min walkthrough of the findings? Free, no pitch.
Why this is the year to fix it.
Cyber insurance renewals
Insurance carriers tightened their questionnaires in 2025. Most LA nonprofits and small businesses we scan fail at least three of them: DMARC, MFA enforcement, and an incident response plan. Failing one questionnaire can double your premium or void coverage.
California breach notification law
California's notification laws assume you have controls in place: encryption, access logs, an IR plan. If you don't, the regulatory exposure after a breach is larger than the breach itself. SB-553 and related rules apply to organizations smaller than most owners realize.
Donor and client due diligence
Foundations, major donors, and B2B clients are starting to ask: "What happens to our data if you're breached?" If you can't answer in one paragraph, you're going to start losing grants and contracts to organizations that can.
What you get
Five ways to work together. Each one ends where the next one begins. No pressure to climb.
The Snapshot
Free · A 5-minute non-invasive scan of your website and email. Letter grade, plain-English findings, exact fixes. Hosted online so you can share with your board.
The Readout Call
Free, 30 min · After your Snapshot, we hop on a 30-minute call. I walk through your findings, answer your questions, and tell you which fixes are 5 minutes and which need real work. No pitch. If a single call is all you need, great.
The Foundation Audit
A one-week deeper look. Email security plan, Microsoft 365 / Google Workspace review, public web surface scan, identity and access review. You get a 12-page board-ready report and a 60-minute walkthrough with your team.
$3,500–$5,500 · one-time
The Hardening Sprint
4–6 weeks. We don't just find the issues. We fix them. DMARC rolled out from monitor-only to enforcing. HTTPS hardened. Conditional access policies deployed. Stale admin accounts cleaned up. Written IR plan tailored to your org. Tabletop exercise with your leadership.
$12,000–$18,000 · one-time
ERP Implementations
End-to-end ERP implementations for small-medium businesses and nonprofits. We manage the technical migration, system hardening, access controls, and workflow integration so your new system is secure by design from day one.
Quote on inquiry
Most clients continue with ongoing support after their Sprint. We'll discuss what makes sense for you when we wrap. No monthly retainers sold up front.
What this looks like in practice
Before
When we started, their domain could be spoofed by anyone, two of their three admin accounts didn't have MFA, and their main donation page was loading scripts over plain HTTP. Their board was about to be asked for a cyber insurance renewal answer they couldn't give.
The Work
Over 5 weeks: DMARC went to p=reject. MFA enforced across all admin accounts. Donation page hardened, mixed content removed. Written IR plan delivered to the board. Tabletop with the leadership team.
Outcome
Renewed insurance at last year's rate. Board signed off on the security posture for the first time. Two follow-on referrals to peer nonprofits. Fixed-fee investment: $12,000.
Who you're hiring
Hi, I'm Ross.
I started Shaw Cybersecurity Services because every LA nonprofit and small business I talked to had the same story: they knew they were exposed, they couldn't read what their IT vendor was telling them, and they couldn't afford to hire a full-time security person.
I've spent four years doing paid cybersecurity work (and ten more before that on my own time, which is a story for the call). I've delivered web application pentests, set up OAuth and identity systems, hardened Active Directory and Microsoft 365 for organizations at scale, written HIPAA Risk Analyses, scoped PCI DSS engagements, and run incident-response tabletops with executives.
I'm not a Fortune-500 cybersecurity firm and I don't want to be. I want to be the person your ED or your office manager can text when something feels off.
The LLC is real, the insurance is real, the work is real. If you'd like proof, run your free Snapshot above. The output is mine. The honesty is, too.
What we don't do (and why we'll tell you)
Most security consultancies will sell you anything you ask for. We won't. Here's what's outside our lane, and the kind of partner we'll introduce you to instead:
| What you might need | What we do |
|---|---|
| Full SOC 2 readiness or audit | We hand you to a Drata, Vanta, or Secureframe partner shop. |
| Multi-account AWS architecture, Terraform, CSPM | We refer you to a cloud-native security firm. |
| 24/7 SOC, SIEM build-out, detection engineering | We refer you to an MDR (Arctic Wolf, Huntress, Red Canary). |
| Active ransomware response right now, today | We refer you to a regional DFIR firm. We'll be there for the rebuild after. |
When we're not the right fit
Honest answer: if any of these is true, we're probably not the right call right now.
You have fewer than 10 staff and no online donations or stored client data. Free resources from CSNP and Nonprofit Cyber are better starting points.
You're in active regulatory enforcement (FTC, HHS OCR, state AG). You need a breach-response attorney first, then a DFIR firm. Come back to us for the rebuild.
You want someone to fix it without your involvement. Security is partly cultural. We need 30 minutes a week from someone on your team (usually the Executive Director or office manager) or the work doesn't stick.
Common questions
How is the free Snapshot different from a Bitwarden / Google security checkup?
Those check one product. Our Snapshot looks at your public domain, email authentication, and web headers: the same surface that attackers and insurance carriers scan. It's a starting point, not a substitute for your existing tools.
Will the Snapshot leave anything on our systems?
No. It's all read-only public information: DNS records and HTTP headers your site already broadcasts. We don't log into anything.
Can we share the Snapshot with our board?
Absolutely. The report has its own URL. Forward it, screenshot it, or include it in your board packet. It's yours.
We're a small business, not a nonprofit. Does this apply?
Yes. The same controls that protect donors protect customers, patients, and clients. We work with LA law firms, medical and dental practices, accounting firms, brokerages, marketing agencies, e-commerce shops, and schools. The package prices are the same.
What if we already have an IT vendor?
Most of our clients do. We complement them. We focus on the security-specific work most general-IT vendors don't have time for. We'll happily coordinate.
Are you insured?
Yes. Shaw Cybersecurity Services LLC carries Professional Liability / E&O insurance. Certificate available on request.
Want to skip the line?
Don't want to run the Snapshot or climb the package ladder? Just need help right now? Send us a quick request, email, or book a time to talk.